Password Strength Meters on Websites Are Doing a Terrible Job (theregister.co.uk)
An anonymous reader shares a report on The Register: Password strength meters used during web sites' signup process remain incapable of doing their job, says Compound Eye developer Mark Stockley. Indeed, a majority of security experts consider the tools a useless control that grant little more than an illusion of protection. Stockley revisited his examination of five popular password meters and found they failed to prevent users from entering the world's worst passwords. "You can't trust password strength meters on websites," Stockley says. "The passwords I used in the test are all, deliberately, absolutely dreadful ... they're chosen from a list of the 10,000 most common passwords and have characteristics I thought the password strength meters might overrate." The basis for his argument is that the meters rate character complexity but fail to identify those combinations that can be guessed outright such as popular passwords or those based on cliches.
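To make the distinction in the report concrete, here is an added example (not code from The Register, Slashdot, or Mark Stockley's test) contrasting a naive character-class meter with a check that first consults a common-password list. The `COMMON_PASSWORDS` set is a constructed stand-in for a real top-10,000 list, and the leet-substitution table and the `evaluate` verdicts are assumptions of this example, not part of any site's actual meter.

```python
import re

# Constructed sample standing in for a "10,000 most common passwords" list.
# A real deployment would load the full list (lowercased) from a file.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "football",
    "iloveyou", "admin", "welcome", "monkey", "dragon",
    "password1", "p@ssw0rd", "trustno1", "abc123", "qwerty123",
}

# Assumed set of common "leet" substitutions that make a weak base word look complex.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "0": "o", "1": "l", "3": "e",
    "$": "s", "5": "s", "!": "i", "7": "t",
})


def complexity_score(pw: str) -> int:
    """Naive character-class meter of the kind the report criticizes (0..5).

    It rewards length and mixed character classes but knows nothing about
    whether the password is guessable outright.
    """
    score = 0
    if len(pw) >= 8:
        score += 1
    if re.search(r"[a-z]", pw):
        score += 1
    if re.search(r"[A-Z]", pw):
        score += 1
    if re.search(r"\d", pw):
        score += 1
    if re.search(r"[^A-Za-z0-9]", pw):
        score += 1
    return score


def candidate_forms(pw: str) -> set:
    """Forms of the password to look up: as typed, with trailing digits/symbols
    stripped, and with leet substitutions undone (all lowercased)."""
    lowered = pw.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)  # drop e.g. trailing "1!" or "123"
    return {lowered, stripped, stripped.translate(LEET_MAP)}


def is_common(pw: str) -> bool:
    """True if any candidate form appears in the common-password list."""
    return any(form in COMMON_PASSWORDS for form in candidate_forms(pw))


def evaluate(pw: str) -> tuple:
    """Blocklist-aware verdict: ('reject' | 'weak' | 'accept', reason).

    The common-password check runs before the complexity score so that a
    dictionary password cannot be rescued by a capital letter and a symbol.
    Any special character is allowed; nothing here restricts the alphabet.
    """
    if is_common(pw):
        return ("reject", "matches a common-password list (possibly after normalization)")
    score = complexity_score(pw)
    if score < 3:
        return ("weak", f"complexity score {score}/5")
    return ("accept", f"complexity score {score}/5 and not on the common list")


if __name__ == "__main__":
    for sample in ["P@ssw0rd1!", "123456", "Tr0ub4dor&3", "abc"]:
        print(f"{sample!r}: naive meter={complexity_score(sample)}/5, verdict={evaluate(sample)}")
```

Running it shows the gap the report describes: `P@ssw0rd1!` scores a full 5/5 on the naive meter yet is rejected once leet substitutions and the trailing `1!` are normalized away, while a password containing `&` is accepted on its merits rather than being refused for its character set.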
populate_mah_rainbow_tables.js
Humor aside, people should never, ever, ever never type their real password into a site "checking strength". My humor has a whole lot of reality involved.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
> 1) Restricting what characters I may use in my password (no / or % or & or whatever)
I recently signed up for a website where it said "special characters are ok". But no matter what I put I couldn't get the password to be accepted. Until I actually took OUT the special character &, and then it worked. (facepalm)